Methods and apparatus for generating endorsement credentials for software-based security coprocessors

ABSTRACT

A virtual manufacturer authority is launched in a protected portion of a processing system. A key for the virtual manufacturer authority is created. The key is protected by a security coprocessor of the processing system, such as a trusted platform module (TPM). Also, the key is bound to a current state of the virtual manufacturer authority. A virtual security coprocessor is created in the processing system. A delegation request is transmitted from the processing system to an external processing system, such as a certificate authority (CA). After transmission of the delegation request, the key is used to attest to trustworthiness of the virtual security coprocessor. Other embodiments are described and claimed.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No.60/681,094, filed on May 13, 2005, and entitled Methods and ApparatusPertaining to Software-Based Security Coprocessors.

FIELD OF THE INVENTION

The present disclosure relates generally to the field of dataprocessing, and more particularly to methods and related apparatus tosupport secure virtualization.

BACKGROUND

A conventional processing system may include hardware resources, such asa central processing unit (CPU) and random access memory (RAM), as wellas software resources, such as an operating system (OS) and one or moreend-user programs or applications. An application is typically developedto run on a particular OS. When a typical conventional computer systemis started, it loads the OS before loading the end-user programs orapplications. The OS typically serves as an intermediary betweensoftware applications and the hardware in a processing system.

In addition to RAM and one or more CPUs, a processing system may includea security coprocessor (SC) such as a trusted platform module (TPM). ATPM is a hardware component that resides within a processing system andprovides various facilities and services for enhancing the security ofthe processing system. For example, a TPM may be implemented as anintegrated circuit (IC) or semiconductor chip, and it may be used toprotect data and to attest to the configuration of a platform.

A TPM may be implemented in accordance with specifications such as theTrusted Computing Group (TCG) TPM Specification Version 1.2, dated Oct.2, 2003 (hereinafter the “TPM specification”), which includes parts suchas Design Principles, Structures of the TPM, and TPM Commands. The TPMspecification is published by the TCG and is available from the Internetat www.trustedcomputinggroup.org/home.

The sub-components of a TPM may include an execution engine and securenon-volatile (NV) memory or storage. The secure NV memory is used tostore sensitive information, such as encryption keys, and the executionengine protects the sensitive information according to the securitypolicies dictated by the TPM's control logic.

In general, a TCG-compliant TPM provides security services such asattesting to the identity and/or integrity of the platform, based oncharacteristics of the platform. The platform characteristics typicallyconsidered by a TPM include hardware components of the platform, such asthe processor(s) and chipset, as well as the software residing in theplatform, such as the firmware and OS. A TPM may also support auditingand logging of software processes, as well as verification of platformboot integrity, file integrity, and software licensing. It may thereforebe said that a TPM provides a root of trust for a platform.

Accordingly, when a processing system such as a server handles requestsfrom other processing systems such as clients, the server may enforcesecurity policies based on TPM-based attestation. For instance, theserver may be configured to deny requests from any client system unlessthose requests are accompanied by valid, TPM-based platform attestationfrom that client system. When a conventional processing system uses aTPM, however, that processing system may be able to support only onesoftware environment at a time.

Virtualization products provide features for partitioning a processingsystem into multiple virtual machines (VMs). For instance,virtualization products may partition and manage a processing system'shardware resources in a way that allows multiple OSs to execute on thesame machine concurrently. Specifically, each OS may run in a differentVM. Each VM may therefore be considered a substantially independentsoftware environment. An OS running in a VM may be referred to as aguest OS. The VMs may be managed by virtualization products such as avirtual machine monitor (VMM) or hypervisor.

As recognized by the present invention, it would be advantageous if aVMM could allow each of the OSs to operate substantially as if that OSwere in its own independent physical machine. U.S. patent applicationSer. No. 10/876,944 (“the '944 application”), which is assigned to thesame entity as the present application, discusses features to supportuse of TPMs by VMs. The present application discloses additionalfeatures and capabilities relating to TPMs and virtualization.

BRIEF DESCRIPTION OF THE DRAWINGS

Features and advantages of the present invention will become apparentfrom the appended claims, the following detailed description of one ormore example embodiments, and the corresponding figures, in which:

FIG. 1 is a block diagram depicting a suitable data processingenvironment in which certain aspects of an example embodiment of thepresent invention may be implemented;

FIG. 2 presents a block diagram depicting an example TPM, with regard tovarious structures and keys to support functions such as TPMvirtualization;

FIG. 3 is a block diagram showing various components of an examplegeneralized virtual TPM framework and related items;

FIG. 4 presents a block diagram of an example embodiment of a virtualTPM double wrapped key; and

FIG. 5 is a block diagram illustrating example components and operationsto prepare a virtual manufacturer authority to provide securityattestation for a virtual TPM.

DETAILED DESCRIPTION

Platform partitioning technologies, such as technologies for creatingVMs, have recently received increased attention for their potentialsecurity value. Virtualization technologies allow a platform to be splitinto VMs, with each VM possibly running less software than today'scomplex platforms. Separately, as indicated above, the TCG has provideda standard for hardware augmented security to facilitate the creation ofprocessing systems that can be classified as trusted platforms. A TPMmay provide the root of trust for a trusted platform.

It would be advantageous if all software in a given VM could beidentified, and if a TPM could meaningfully attest to all software inthat VM. However, sharing a TPM for use by multiple VMs is difficult, atleast in part because of the stateful and opaque nature of the TPM.

A well-written VMM should prevent malicious software running in one VMfrom tampering with software running in another VM. Additionally, usingthe TCG trusted boot model, it would be advantageous if a TPM couldmeasure the OS and applications in each VM to provide data protectionfor the OS and applications as well as to facilitate attestation toremote entities.

Unfortunately, the measurement facilities of the TPM are designed tostore the measurements of exactly one operating system. ConventionalTPMs lack the ability to separately store measurements of multipleconcurrently running OSs. Furthermore, due to the closed, smartcard-likenature of the TPM, its state cannot be read or swapped out. As a result,traditional techniques for device sharing or virtualization cannot beused for TPMs.

FIG. 1 is a block diagram depicting a suitable data processingenvironment 12 in which certain aspects of an example embodiment of thepresent invention may be implemented. Data processing environment 12includes a processing system 20 that includes one or more processors orcentral processing units (CPUs) 22 communicatively coupled to variousother components via one or more system buses 24 or other communicationpathways or mediums.

As used herein, the terms “processing system” and “data processingsystem” are intended to broadly encompass a single machine, or a systemof communicatively coupled machines or devices operating together.Example processing systems include, without limitation, distributedcomputing systems, supercomputers, high-performance computing systems,computing clusters, mainframe computers, mini-computers, client-serversystems, personal computers, workstations, servers, portable computers,laptop computers, tablets, telephones, personal digital assistants(PDAs), handheld devices, entertainment devices such as audio and/orvideo devices, and other devices for processing or transmittinginformation.

Processing system 20 may be controlled, at least in part, by input fromconventional input devices, such as keyboards, mice, etc., and/or bydirectives received from another machine, biometric feedback, or otherinput sources or signals. Processing system 20 may utilize one or moreconnections to one or more remote data processing systems 76-78, such asthrough a network interface controller (N IC), a modem, or othercommunication ports or couplings. Processing systems may beinterconnected by way of a physical and/or logical network 80, such as alocal area network (LAN), a wide area network (WAN), an intranet, theInternet, etc. Communications involving network 80 may utilize variouswired and/or wireless short range or long range carriers and protocols,including radio frequency (RF), satellite, microwave, Institute ofElectrical and Electronics Engineers (IEEE) 802.11, Bluetooth, optical,infrared, cable, laser, etc.

Within processing system 20, processor 22 may be communicatively coupledto one or more volatile or non-volatile data storage devices, such asrandom access memory (RAM) 26, read-only memory (ROM), mass storagedevices such as integrated drive electronics (IDE) hard drives, and/orother devices or media, such as floppy disks, optical storage, tapes,flash memory, memory sticks, digital video disks, biological storage,etc. For purposes of this disclosure, the term “ROM” may be used ingeneral to refer to non-volatile memory devices such as erasableprogrammable ROM (EPROM), electrically erasable programmable ROM(EEPROM), flash ROM, flash memory, etc. Processor 22 may also becommunicatively coupled to additional components, such as videocontrollers, small computer system interface (SCSI) controllers, networkcontrollers, universal serial bus (USB) controllers, input devices suchas a keyboard and mouse, etc. Processing system 20 may also include oneor more bridges or hubs 34, such as a memory controller hub, aninput/output (I/O) controller hub, a PCI root bridge, etc., forcommunicatively coupling various system components. As used herein, theterm “bus” may be used to refer to shared communication pathways, aswell as point-to-point pathways.

Some components, such as a NIC for example, may be implemented asadapter cards with interfaces (e.g., a PCI connector) for communicatingwith a bus. In one embodiment, one or more devices may be implemented asembedded controllers, using components such as programmable ornon-programmable logic devices or arrays, application-specificintegrated circuits (ASICs), embedded computers, smart cards, and thelike.

As illustrated, processing system 20 also includes a TPM 30communicatively coupled to processor 24. TPM 30 may also be referred toas a physical TPM or hardware TPM (hwTPM) 30. In one embodiment, TPM 30is implemented as an embedded device, residing on a system motherboardor backplane of processing system 20. TPM 30 includes several storagefacilities, including volatile platform configuration registers (PCRs)and authorization sessions, as well as persistent data integrityregisters (DIRs), authorization digests, and general use persistentstorage. Each of these facilities may have a corresponding in-memorydata structure.

The invention may be described by reference to or in conjunction withassociated data including instructions, functions, procedures, datastructures, application programs, etc., which, when accessed by amachine, result in the machine performing tasks or defining abstractdata types or low-level hardware contexts. The data may be stored involatile and/or non-volatile data storage.

For instance, RAM 26 may include one or more sets of instructions which,when executed, implement a generalized virtual TPM (GVTPM) framework 40to support secure virtualization of TPM 30. GVTPM framework 40 may alsobe referred to as a virtual TPM service. For purposes of thisdisclosure, a virtual TPM (vTPM) is a logical (i.e., primarilysoftware-implemented) component that provides TPM-like functionality.Likewise, a virtual security coprocessor (vSC) is a logical device whichprovides functionality like that which could potentially be provided bya hardware security coprocessor.

In one example embodiment, GVTPM framework 40 may operate partially orcompletely from within a VMM 64. In another embodiment, GVTPM framework40 resides in one or more service VMs supported by the VMM. The serviceVMs may be referred to as lightweight VMs, since they may require fewerresources than a VM with a guest OS. In alternative embodiments, some orall of the modules for GVTPM framework 40 may reside in the firmware orany other protected environment. Different embodiments of the GVTPMframework may provide virtual TPM services for a wide variety of VMMarchitectures. In other embodiments, GVTPM framework 40 may not be partof a VMM at all.

In the example embodiment, processing system 20 may load VMM 64 into RAM26 at boot time or at some later time to support one or more VMs 60A-60Cwithin processing system 20. VMM 64 may be implemented through executionof software or firmware components such as a micro-kernel and a serviceOS. The micro-kernel may include a small nucleus of instructions forsystem management tasks such as instruction scheduling. The service OSmay include device drivers and environment virtualization software forcreating and maintaining VMs. The device drivers in the service OS mayinclude a TPM driver for communicating with TPM 30. Alternatively, asillustrated in FIG. 3, the TPM driver 130 may be loaded into a differentsoftware component, such GVTPM manager 110. Processing system 20 mayload the instructions that implement VMM 64 and GVTPM framework 40 fromROM and/or from one or more local or remote mass storage devices, forinstance. Any additional instructions used to support or facilitate TPMvirtualization may also be loaded from ROM and/or from one or more localor remote mass storage devices, for instance. In the example embodiment,VMM 64 supports multiple VMs 60A-60C, each running its own independentguest OS. One or more of the VMs may run a trusted software stack or TCGsoftware stack (TSS), in compliance with TCG standards.

For purposes of this disclosure, vTPMs, proprietary vSCs, and similarvirtual devices may be referred to as device models (DMs). In theexample embodiment, such device models are supported by GVTPM framework40. In addition, GVTPM framework 40 may support multiple DM designs. Forexample, as described in greater detail below with regard to FIG. 3,GVTPM framework 40 may create vTPMs based on one DM design, and GVTPMframework 40 may create proprietary vSCs based on another DM design.Thus different DM designs may be used to facilitate virtualization ofdifferent types of security coprocessors. GVTPM framework 40 may thussupport vTPMs and other vSCs with different security and performancetradeoffs. Since the vSCs are not limited to vTPMs, GVTPM framework 40may also be referred to as a virtual security coprocessor (vSC)framework.

As illustrated in FIG. 1, in one embodiment, processing system 20includes a data storage device 28 containing one or more VM definitions41, 51. In one embodiment, the VM definitions may reside on a hard diskdrive (HDD). In alternative embodiments, the VM definitions may residein other types of storage devices. For instance, VM definitions may beretrieved from a remote system and loaded into RAM 26 or into cachememory of processor 22. A VM definition may define the attributes to beincluded in a virtual machine. For instance, when VMM 64 determines thatis should create VM 60A, processing system 20 may treat VM definition 41like a boot block, with GVTPM framework 40 measuring VM definition 41,and then VMM 64 passing control to initialization instructions or bootcode within VM definition 41. VM 60A may be instantiated, at least inpart, through execution of that boot code. In particular, vTPM 44A maybe created for VM 60A based in control logic and/or initialization datawithin VM definition 41. As described in greater detail below, thatcontrol logic may constitute or include the program code segment (PCS)45 for implementing vTPMs. Similarly, VM definition 51 with thecorresponding PCS 55 may be used to create VM 60C and the correspondingvSC 44C.

In the example embodiment, GVTPM framework 40 operates from protectedhost memory. For example, processing system 20 may use technology suchas that described in U.S. Pat. Nos. 6,507,904; 6,633,963; and/or6,678,825 (all assigned to Intel Corporation) to load GVTPM framework 40into, and execute GVTPM framework 40 from, an isolated area of memorythat is protected by hardware from access or tampering from software inother partitions. In alternative embodiments, other techniques may beused to provide protected memory. For instance, an environment mayinclude a system management mode (SMM) that provides protected memory,or a protected execution environment could be created using atamper-resistant software compiler. Other components (e.g., VMM 64, themicrokernel, etc.) may also reside in protected memory areas. In theexample embodiment, the protected memory ensures that thesoftware/instructions can run without interference or observation.

The protected memory may also serve to prevent unauthorized programsfrom accessing or tampering with sensitive information. For example, asdescribed in greater detail below, GVTPM framework 40 may create avirtual TPM 44A to emulate a hardware TPM for VM 60A. GVTPM framework 40may use protected memory to store and protect data stored in structuresof vTPM 44A.

As illustrated in FIG. 3, GVTPM framework 40 may include a protectedstorage service (PSS) 100, and PSS 100 may use TPM 30 to protect vTPMseven when the vTPMs are not running. For example, when a vTPM is notactively operating, persistent data structures for that vTPM may bestored on disk and sealed to the PCRs of the vTPM service with theparent SRK.

In the example embodiment, vTPM 44A is able to transparently provide TPMfunctionality both from itself and from hwTPM 30 under a single userauthorization session. The vTPM 44A accomplishes this objective bymaintaining separate authorization sessions with both the user and thehwTPM. That is, the user will create an authorization session with vTPM44A as if vTPM 44 a were a hwTPM. The vTPM 44A may complete all the sameauthorization checks based on this session that a hwTPM would do. IfvTPM 44A can provide a requested function directly, vTPM 44A may simplyupdate the session nonces and reply back. If vTPM 44A needs the hwTPM toprovide the service, vTPM 44A will create an authorization session orreuse an existing authorization session with the hwTPM to make therequest. Once vTPM 44A is done using the hwTPM, vTPM 44A may update thenonces on the user's session and reply back.

In the example embodiment, GVTPM framework 40 provides an executionenvironment for trustworthy virtual TPMs (vTPMs) 44A and 44B, and/or forother TPM-like virtual components, such as vSC 44C. In order to protectsensitive data used by vSCs 44A-44C, GVTPM framework 40 uses TPM 30 toensure that the trustworthiness of the vSCs are anchored in hardwarethat meets the expectation of software that uses a TPM. For purposes ofthis disclosure, the terms virtual TPM and vTPM are used to refer tosoftware emulations or simulations of physical TPMs, as well as softwareemulations of similar kinds of security subsystems.

GVTPM framework 40 may allow multiple mutually distrustful and/orunaware guests to share the TPM without requiring modifications to guestOSs or to applications running on guest OSs. Additionally, GVTPMframework 40 may include features to provide the necessary environmentfor creating custom cryptographic subsystems with enhanced proprietaryfunctionality. This disclosure also describes additional TPM featuresfor optimizing virtualization under frameworks such as GVTPM framework40.

The remainder of this detailed description of one or more exampleembodiments proceeds as follows: The Security Background sectionprovides background on the TPM. The Generalized Virtual TPM Frameworksection discussed an example framework. The Example vTPM Device ModelDesigns section describes two example vTPM designs or design models. TheHardware Optimizations section describes example hardware features thatmay facilitate TPM virtualization. Next are sections on RemoteDeployment and Provisioning of Virtual TPMs and on Migrating VirtualTPMs.

1.0—Security Background

1.1—TPM Functional Introduction

The industry consortium TCG has standardized the TPM as a smallcryptographic subsystem that promises to provide a foundation for truston a platform. To this end, the TPM provides functions to facilitateattestation and protected storage.

The core of the TPM's functionality lies in its ability to storeinformation about the platform's configuration. This information canthen be used for both of the TPM's primary functions. The platform canprovide information to a remote entity necessary to allow the remoteentity to make decisions about the trustworthiness of the platform. Theplatform can also instruct the TPM to ensure that keys or sensitive dataare only released while the system is in a known “good” configuration.

In order to store the platform state, a conventional TPM uses the PCRsto store measurements in the form of 160-bit SHA1 (secure hashingalgorithm 1) hashes of software and configuration information for theplatform. These measurements start at the boot block. Each bootcomponent measures the next, records it in the TPM, and then launchesthat component until the operating system takes over the measurement ofits core. Because each write to the PCRs adds a measurement to theregister, rather than overwriting the previous measurement, no entitycan change the measurement of its code made by the preceding component.Thus, a chain of measurements is made, such that if the beginning of thechain (known as the Root of Trust for Measurement) and each link aretrustworthy, the entire chain is trustworthy.

1.2—Attestation

Attestation refers to the set of TPM functions and protocols that enablethe platform to report its configuration to a remote party in atrustworthy manner. For example, the TPM provides the ability to signthe PCRs used to store the platform state. For instance, a platform mayuse an attestation identity key (AIK) to sign the PCRs. Such signed PCRsmay be referred to as a quote.

To provide proof to a remote entity that the quote was signed by a realTPM, each TPM has a set of credentials. For instance, an endorsementcredential signed by the TPM manufacturer states that the TPM meets theTPM specification. The manufacturer also stores a unique key known asthe endorsement key (EK) in the TPM, and the manufacturer uses the EK tosign the endorsement credential. Theoretically, the EK could be useddirectly to sign a quote of the PCRs. However, since the EK is unique, athird party is used instead, to provide privacy. Specifically, theplatform uses a third party known as the privacy certification authority(CA) to create an identity credential for each AIK. TCG has defined aprotocol that allows the TPM to prove to the privacy CA that the TPM isa real TPM, using the EK and the endorsement credential. In turn, theprivacy CA creates identity credentials for AIKs that the TPM claims itowns.

Assuming a remote entity trusts the manufacturer of the TPM, the privacyCA, and the root of trust for measurement, a quote signed by an AIK thatis accompanied by an identity credential is cryptographic proof of thecurrent state of the platform. For example, if a conventionalattestation approach were used in a network environment similar to thatillustrated in FIG. 1, a remote processing system such as privacy CA 76could provide an identity credential for an AIK of a conventional TPM,and processing system 20 could use that identity credential to make atrustworthiness assertion to a remote processing system such aschallenger 78. As described in greater detail below, however, thepresent disclosure introduces a modified attestation approach to supportvirtual security processors or virtual TPMs for partitions such asvirtual machines 60A-60C in devices such as processing system 20, forexample.

FIG. 2 is a block diagram depicting an example TPM, such as TPM 30, withregard to various structures and keys to support functions such as TPMvirtualization. In FIG. 2, the EK of TPM 30 is illustrated as hwEK 52,the storage root key is illustrated as hwSRK 50, and the endorsementcredential provided by the TPM manufacturer is illustrated as EK_Cred54. FIG. 2 also depicts PCRs 32 and DIRs 36 within storage 38.

1.3—Secure Storage

Another set of services the TPM provides is the secure storage of keysand other data. The TPM can create Rivest-Shamir-Adleman (RSA) keys,which it will only allow use of once (a) the requester providesauthorization via a secret SHA1 hash and (b) the current configuration,as determined by the PCRs, indicates a “good” state. This powerfulfunction allows the platform to encrypt data such that, if the machineis compromised, booted from external media, or otherwise tampered with,the data will remain inaccessible.

To support services such as secure storage, the TPM creates keys withsingle-purpose types for different operations. The key of type EK isonly available for decrypting identity credentials from the privacy CA.AIKs are used to sign other keys and to quote PCRs. Storage keys (SKs)are used to protect other keys or to “seal” data, which is a specialencryption of data that protects the data with a password or PCRbindings. Binding keys (BKs) are used to encrypt arbitrary data, and toconvert data into a TPM-bound data structure. Signing keys (SigKs) areused for signing arbitrary data. Lastly, legacy keys can sign or encryptdata and do not require that the data be in the form of a TPM-bound datastructure.

Each TPM has two core keys, an EK and a special type of SK known as thestorage root key (SRK). The SRK is the top of the hierarchy of keys thatcan be created by the system or users. This hierarchy is built onStorage Keys as branches and any of the other types, other than the EKtype, as leaves. Of the keys in the hierarchy, only the SRK and EK arerequired to be loaded in the TPM at all times. Other keys may be storedoutside the TPM encrypted as a “wrapped key,” and loaded prior to use.Wrapped keys are described in greater detail below. Once a key isloaded, it can perform any functions, provided that the key type iscorrect for the operations, proper authorization is given, and the PCRsmatch any PCR binding specified by the key.

1.4—TPM Components

TPMs, smartcards, the model 4758 cryptographic coprocessor fromInternational Business Machines Corp., and other similar devices orsubsystems are, in essence, small self-contained computing environmentswhich generally contain perimeter protections such as tamper resistance.Consequently, such devices can be trusted to do certain computationswithout relying on external resources for operation.

A typical TPM includes the following four components.

-   -   1. Program code segment (PCS): The code segment of a TPM's        control logic, which is typically in ROM and stored as read-only        data.    -   2. Processor: A small CPU which executes the PCS.    -   3. Non-volatile memory (NV memory or NVM): The NVM is the        storage within the TPM where persistent keys, secrets, and other        state of the TPM are stored. It is typically located in        tamper-resistant flash, which is preserved across restarts.    -   4. Active memory: This is the volatile memory used to store        non-persistent data that is lost on power off.

The technical capabilities of devices built from these primitives arelimited primarily by their internal resources. In practice, as a resultof efforts to avoid high development and deployment costs, these devicestypically include only a few simple, general purpose constructs for dataprotection. For example, in a typical device, simple encryption anddecryption functions are available, but sophisticated access controlpolicies are not. The framework disclosed herein alleviates this problemby providing computational areas which do not have the same resourceconstraints, and which are inexpensive to develop and deploy.

2.0—Generalized Virtual TPM Framework

FIG. 3 presents a block diagram showing various components of an exampleGVTPM framework and related items. In the illustrated embodiment, GVTPMframework 40 includes several components which help to provide variousfunctional and security properties of the TPM components.

Also, the GVTPM PSS 100 serves as the central repository for the NVM ofeach DM, while the platform's CPU 22 and RAM 26 provide the processorand active memory resources. Since PSS 100 provides protected storagefor the persistent data of each DM, PSS 100 may also be referred to asprotected persistent storage. In the example embodiment, GVTPM framework40 imposes a security requirement that the platform will isolate the useof CPU 22 and RAM 26 to ensure the framework is protected from the restof the platform. One way to meet the isolation requirement is toimplement the components in a trusted virtual machine monitor (TVMM) oruse a TVMM to isolate GVTPM framework 40 in its own VM. In the exampleembodiment, VMM 64 is generally accepted as a TVMM. Alternativeembodiments may not store the NVM within the PSS. The PSS may insteadencrypt the NVM similar to that above and may return the NVM to thevSCs.

Additionally, a GVTPM manager 110 provides creation, deactivation, andother management functions for vSCs 44A-44C, and virtual manufactureauthorities (MAs) 124, 126 are used to obtain credentials for vSCs44A-44C. GVTPM framework 40 also includes a key and session manager 140,which GVTPM manager 110 uses for tasks such as swapping out keys andauthorization sessions when one vTPM is unloaded from processor 22 andanother vTPM is ready to become active. For instance, keys belonging tovTPMs which are loaded but not currently scheduled for execution onprocessor 22 may be removed to make room for the keys needed by a vTPMthat is (or will soon be) scheduled to run on processor 22.

In the example embodiment, all components of GVTPM framework 40 areisolated from the rest of the system, in order to ensure the security ofthe secrets stored in these components.

2.1—GVTPM Device Models

GVTPM framework 40 may use VM definition 41 to create DMs 44A and 44B,and GVTPM framework 40 may use VM definition 51 to create DM 44C. GVTPMframework 40 may use virtualization events (VEs) when providing or usingDMs. For instance, a VE may be triggered when software in VM 60Aattempts to access a TPM. In response to the VE, control may betransferred from VM 60A to VMM 64. GVTPM manager 110 may intercept theVE to process the event by reference to vTPM 44A. In the exampleembodiment, although VM 60A may be unaware of any TPM other than vTPM44A, GVTPM manager 110 may use hwTPM 30 to support vTPM 44A.

In effect, the DMs extend the GVTPM functionality to the OS partitions,such as VMs 60A-60C. The protection perimeter of each DM is provided bythe environment it is executing in, such as the TVMM. By placing theperimeter around each GVTPM component and each DM individually, each DMmaintains isolation in the event of another DM being compromised.Accordingly, the data structures implemented within the DM in accordancewith the device model design may be considered tamper-resistantstructures of the device model.

The design of the framework allows for flexibility in the design ofdevice models. For example, any functionality allowed by the VMM may runin a DM, as opposed to the limited functionality supported by a typicalhardware SC. In the case of proprietary functionality, the flexibilityof the framework allows for a wide variety of encryption algorithms,signature schemes, access control policies, and storage mechanisms.

In the example embodiment, for virtual TPMs, each DM manages its own setof TPM structures and resources, including its own EK, SRK, PCRs, DIRs,monotonic counters, a user key hierarchy, general purpose NVM, etc. Thisenables the vTPM to function identically to a hardware TPM, ensuringthat applications may use either hardware or virtual TPMs transparently.

In the example embodiment, vTPM 44A uses software to provide simulated,persistent, monotonic counters. The number of counters may besubstantially unlimited. In the example embodiment, vTPM 44A at leastprovides the four counters expected from hwTPMs. The vTPM counters maynot require any direct link to the hardware TPM counters.

Virtual PCRs such as vPCRs 92 do not have the resource constraints ofhwTPMs, but instead may have a configurable number of PCRs available tothem. In the example embodiment, vPCRs 92 are stored in the memory spaceof vTPM 44A in PSS 100, and vTPM 44A emulates the standard PCRoperations on vPCRs 92.

The framework allows individual DM designs the ability to balanceperformance and security. Some implementations may enjoy fasterencryption operations or enhanced migration by implementing keys insoftware within the DM, while others may require that all keys alwaysreside in the hardware TPM and that the DM act as a portal to them.Additionally, this approach transparently allows different DM designs totune their services to match the data protection and cryptography lawsof different geographies.

As described in greater detail below, GVTPM manager 110 may provide adifferent virtual manufacturer authority (vMA) for each DM design. Forinstance, in FIG. 3, virtual manufacturer authority 124 services DMsbased on the DM design provided by VM definition 41, and virtualmanufacturer authority 126 services DMs based on the DM design providedby VM definition 51.

2.2—GVTPM Manager

GVTPM manager 110 is the central management component for GVTPMframework 40. In the example embodiment, GVTPM manager 110 is themanagement component responsible for vTPM provisioning, bridging theother framework components, and granting serialized access to TPM 30 forthe DMs. In one embodiment, GVTPM manager 110 provisions new DMs byrequesting that VMM 64 (a) create the necessary VMs and (b) providecommunication channels. During the process of provisioning a new DM,GVTPM manager 110 will collect any information that PSS 100 requires toauthenticate the DM, such as measurement of the DM code. For example,GVTPM manager 110 may measure the PCS within the particular VMdefinition that serves as the basis for instantiating the DM inquestion. For instance, VM definition 41 may include a PCS 45 for aparticular type or model of TPM, while VM definition 51 may include aPCS 55 for a particular type or model of smartcard. In one embodiment,each different DM design to be supported by the processing system isdefined completely or primarily by a PCS within a VM definition.

GVTPM manager 110 may provide communication channels between eachparticular OS partition and the respective DM. GVTPM manager 110 mayalso provide communication channels between itself and each DM. GVTPMmanager 110 provides the DM access to other GVTPM components, such asaccess to a virtual manufacturer authority, access to PSS 100, andserialized access to hwTPM 30. GVTPM manager 110 is therefore in chargeof sharing hwTPM 30 across multiple DMs. The primary resources undermanagement are the set of loaded keys and authorization sessions.Sharing techniques such as those proposed in the Core Services portionof the TPM specification reference above may be fitting for this task.

In the example embodiment, GVTPM manager 110 ensures that only one vTPMaccesses TPM 30 at a time. In addition, GVTPM manager 110 swaps keys andauthorization sessions in and out of TPM 30 to ensure each vTPM has theresources it requires.

2.3—GVTPM Protected Storage Service

To maintain flexibility in the DMs, GVTPM framework 40 imposesrelatively few requirements on how each DM functions. In one embodiment,the only requirement is that all persistent data (e.g., keys, counters,NVM data, and any other state the vTPM needs in order to function acrosssystem reboots) is copied from NVM to active memory on load, and thensaved back to NVM when necessary. In accordance with this requirement,the PSS is responsible for protecting the DM's NVM while the DM is notoperating. After the DM loads, it is the responsibility of the TVMM toprovide isolation and protection of the data while the DM is executing.

In the example embodiment, PSS 100 authenticates the vTPM and ensuresthat the state of a vTPM is only loaded into the vTPM that stored thestate previously. PSS 100 also ensures the integrity of the storedstate, and provides anti-replay protection. To protect the offline NVMfor each DM, PSS 100 provides strong authentication and protectionmechanisms that are rooted in TPM 30. This authentication identifies thePCS of the DM that saved the NVM previously, and ensures that the PCShas not been tampered with since the NVM was saved. In addition toauthenticating the PCS that is loading the NVM, it is also critical thatthe TPM ensures that the TVMM, GVTPM manager 110, and any other codewith the capability to undermine the component isolation have not beentampered with since the NVM was saved.

To do this, in the example embodiment, the hash of the GVTPM componentswill be stored in a PCR in TPM 30, as will the hash of all software inthe underlying trusted computing base (TCB). In general, the term TCBrefers collectively to the components of a processing system that canaffect the fundamental security policies of the processing system. Forinstance, the TCB may include the hardware, the boot code, the kernel,the configuration files that control system operation, and any programthat can run with the privilege or access rights to alter the kernel orthe configuration files. In the example embodiment, TPM 30 will detecttampering of GVTPM components or the TCB, will prevent the release ofsecrets to an inappropriate DM, and will ensure that the proper memoryprotections are still in place.

2.3.1—Saving NVM

In the example embodiment, whenever an operation changes the NVM of aDM, the DM issues a request to PSS 100 to save its NVM. In alternativeimplementations, DMs can be designed to delay the saving of their NVMs,to increase performance at the possible cost of lower assurance.

When PSS 100 receives the NVM, the NVM arrives as opaque data. The NVMdata is considered opaque because PSS 100 does not analyze the NVM datait receives. PSS 100 may simply generate a nonce and then encrypt theNVM data and the nonce. In the example embodiment, PSS 100 uses its ownnon-migratable TPM key to perform the encryption, and this key has itsPCR binds set to the measurements of the platform TCB, GVTPM manager110, and PSS 100. By using PCR bindings, TPM 30 will ensure that thisblob can only be decrypted by the key when the TCB and GVTPM manager 110are unmodified. PSS 100 may then give a copy of the encrypted NVM blobto the DM.

Once the NVM blob is saved, PSS 100 measures the DM, and PSS 100 recordsthe measurement of the DM, the NVM blob identity, and the nonce, in apersistent database. The hash of the blob may serve as a good uniqueidentifier. If this DM has a previously saved state, PSS 100 mayoverwrite the old record with the new record.

2.3.2—Restoring NVM

In the example embodiment, when a DM starts up, it requests that itspreviously stored NVM be restored by PSS 100. In response, PSS 100 firstcalculates the identifier for the blob, allowing PSS 100 to look up therecord in the database. Next, PSS 100 measures the DM and verifies thatthe DM measurement matches that in the record. Then, PSS 100 uses itsTPM key to decrypt the blob, and verifies the nonce inside.

In the example embodiment, before restoring the NVM, PSS 100 ensuresfive conditions:

-   -   NVM corresponds to the requesting DM.    -   NVM is the most recent NVM for that DM.    -   NVM is unmodified since storing.    -   NVM blob was created by PSS 100.    -   The TCB has not changed since the NVM was stored.

Comparing the DM measurements ensures meeting condition 1. Thecombination of a successful lookup and a successful decryption indicatesthat conditions 2 and 3 are also true. Inclusion of the secret nonceindicates that the PSS created this blob and it is not a forgery usingthe PSS public key, hence ensuring condition 4. Lastly, the successfuluse of the PSS TPM key to do the decryption indicates that the TPM hasverified that the GVTPM framework and the TCB are both in the same stateas they were before.

Once all five conditions are verified, the opaque NVM is returned to theDM, and the DM proceeds through its initialization.

2.4—Virtual Manufacturer Authority

In many cases, it is valuable to have evidence that a given key residesin a DM, which in turn resides in a given GVTPM environment. In the caseof a hardware TPM, the TPM manufacturer signs the endorsement credentialto state that the EK is protected inside the TPM, and the platformmanufacturer signs the platform credential to state that the TPM residesin a TCG compliant platform. In GVTPM framework 40, each virtualmanufacturer authority acts in a similar fashion, certifying that keysreside in a DM which complies with a particular device model withinGVTPM framework 40 within a TCG compliant platform.

In effect, GVTPM framework 40 allows a trusted certificate authority todelegate TPM manufacturer and platform manufacturer status to a virtualmanufacturer authority. In an example embodiment, the virtualmanufacturer authority is a piece of measurable software on the platformacting as the TPM manufacturer, the platform manufacturer, or both. Thevirtual manufacturer authority allows platforms using virtualization tosecurely create new vTPMs with the appropriate credentials required forattestation.

FIG. 5 is a block diagram illustrating example components and operationsto prepare a virtual manufacturer authority to provide securityattestation for a vTPM. In FIG. 5, the hardware of processing system 20is depicted collectively as platform hardware 252. That hardwareincludes TPM 30. Running on top of the hardware are one or more trustedpartitions. In one embodiment, those partitions include VM 60A and a vMApartition 254. VMM 64 may operate in third distinct partition. One ormore of the partitions may be implemented as virtual machines, forinstance. In alternative embodiments, one or more of the components canshare a protected partition.

In the example embodiment, the virtual manufacturer authorities residelocally on processing system 20 within a trusted component. For example,virtual manufacturer authority 124 may reside within a trusted VMM 64 orin a trusted partition 254 (e.g., a trusted VM) supported by VMM 64.However, in alternative embodiments, virtual manufacturer authoritiesmay reside in firmware or any other protect partition where they can bemeasured and that measurement can be stored in a platform's TPM. ThevTPMs also reside locally on processing system 20 within a trustedcomponent. For instance, vTPM 44A resides in VM 60A in the exampleembodiment.

Each virtual manufacturer authority creates a signing key 250 within TPM30, to be used for signing TPM credentials. In the example embodiment,in order to make the certification from virtual manufacturer authority124 meaningful, virtual manufacturer authority 124 first convinces athird party (e.g., an external CA) that the configuration of virtualmanufacturer authority 124 is trustworthy and that the signing key ofvirtual manufacturer authority 124 is protected by a TPM. This thirdparty may be considered a virtual manufacturer certifying authority(VMCA). In essence, the VMCA is an entity trusted by privacy CAs todetermine which GVTPM environments are trustworthy enough to manufacturereliable virtual TPMs. The same entity can serve as the privacy CA andthe VMCA, or, as depicted in FIG. 1, privacy CA 76 and VMCA 77 may beseparate entities, with privacy CA 76 trusting VMCA 77 to accuratelyassess vSC frameworks and DMs.

In the example embodiment, when processing system 20 launches VMM 64,and when VMM 64 creates partition 254 and loads virtual manufacturerauthority 24 into that partition, the values in PCRs 32 are modified toreflect the evolution of the platform, as indicated by arrows 270 and271.

As indicated by arrow 272, virtual manufacturer authority 124 thencreates a TPM signing key 250 that is bound to the state of virtualmanufacturer authority 124 as well as any software that affects theintegrity of the virtual manufacturer authority 124, such as GVTPMframework 40, VMM 64, and any other components in the TCB, as reflectedin PCRs 32. Virtual manufacturer authority 124 then proves to VMCA 77that TPM 30 will not allow any entity other than virtual manufacturerauthority 124 to access to that TPM signing key.

The bindings to the state of the virtual manufacturer authority and theTCB prove that virtual manufacturer authority 124 will operate inaccordance with the policies embodied in GVTPM framework 40. Virtualmanufacturer authority 124 thus proves that it is controlled by aspecified platform and software configuration. Signing key 250 thereforeimplicitly verifies that any virtual TPMs created by GVTPM framework 40will operate in accordance with the policies embodied in GVTPM framework40. VMCA 77 can then decide whether that environment is trustworthy, forinstance by reference to a list of approved environments.

For instance, virtual manufacturer authority 124 in FIG. 3 may use aprotocol to prove to VMCA 77 that the signing key 250 for virtualmanufacturer authority 124 resides in TPM 30 and is only available tovirtual manufacturer authority 124 when processing system 20 is in thesame configuration as when the signing key was created. One example ofsuch a protocol is for virtual manufacturer authority 124 to create anAIK within the TPM 30. Through standard channels, virtual manufacturerauthority 124 then acquires an identity credential for this key, whichis signed by a privacy CA and is proof that any claims made by theidentity key are made by a trusted TPM. This identity key is then usedto certify signing key 250, which is a process by which TPM 30 uses theidentity key to sign a statement that the signing key is located in thesame TPM as the identity key, and the signing key is bound to thespecified configuration that ensures trust for the environmentsupporting virtual manufacturer authority 124. When this statement iscombined with the identity credential, which says that identity is in areal TPM, it is derived that the signing key 250 of virtual manufacturerauthority 124 is protected by a legitimate TPM and only available foruse in the specified configuration that provides trust for theoperations of virtual manufacturer authority 124.

Once virtual manufacturer authority 124 convinces VMCA 77 that virtualmanufacturer authority 124 has a TPM signing key bound to a particularconfiguration, VMCA 77 makes an informed decision on whether thatconfiguration is safe enough to be trusted. If this configuration isdeemed sufficiently trustworthy, VMCA 77 creates a certificate with thepublic portion of the signing key which states that VMCA 77 hasdelegated power to sign endorsement credentials and platform credentialsto the virtual manufacturer authority's signing key. This certificate ispushed through the network of other CAs that trust the decisions of VMCA77.

The validity period on the credential of a virtual manufacturerauthority and on credentials signed by the virtual manufacturerauthority will likely be proportional to how extensive was the review ofthe GVTPM framework and its TCB. The discovery of a vulnerability in theGVTPM framework or the underlying TCB should result in removal of trustin the GVTPM DMs. Under such circumstances, VMCA 77 would wish to revokethe delegation to the virtual manufacturer authority, and wouldtypically inform the network of other CAs that VMCA 77 no longer truststhat virtual manufacturer authority. For instance, after delegatingauthority to virtual manufacturer authority 124, if VMCA 77 subsequentlydetermines that the configuration of virtual manufacturer authority 124and/or its vTPM architecture are vulnerable, VMCA 77 can revoke thisdelegation.

After VMCA 77 accepts the proof from virtual manufacturer authority 124,virtual manufacturer authority 124 may use signing key 250 to attest tothe trustworthiness of virtual TPMs such as vTPM 44A. Specifically, inthe example embodiment, virtual manufacturer authority 124 generates newendorsement and platform credentials 260 based on information about vTPM44A, as indicated by arrow 274, and virtual manufacturer authority 124uses signing key 250 from TPM 30 to sign those credentials withoutfurther interaction with VMCA 77. That new signature 262 is thereforeappended to certificates 260 to create the finished certificate 280, asindicated by arrow 276. Certificates such as finished certificate 280that have been signed by a virtual manufacturer authority may bereferred to as vMA certificates or vMA credentials.

Virtual TPM 44A may then use vMA credentials 280 in the same manner asif they were credentials for a hardware TPM signed by a TPM manufacturerand a platform manufacturer. Processing system 20 can therefore createvirtual security coprocessors such as vTPM 44A in real time (i.e.,without the delay associated with obtaining credentials from an externalprocessing system), while still providing high security assurance.

As indicated above, in the example embodiment, at least each type of DMhas its own virtual manufacturer authority. For example, a particularGVTPM framework may include one virtual manufacturer authority for allTPM DMs, and different virtual manufacturer authorities for eachproprietary DM design. Accordingly, virtual manufacturer authority 124may service vTPMs 44A and 44B, for instance. In the example embodiment,when processing system 20 creates a new vTPM, such as vTPM 44A, GVTPMmanager 110 provides virtual manufacturer authority 124 with theendorsement key for the new vTPM, along with any other informationnecessary for virtual manufacturer authority 124 to create anendorsement credential and platform credential that properly identifythe software extension to TPM 30 and the software platform which thevTPM architecture resides in. Virtual manufacturer authority 124 is thenresponsible for signing those endorsement and platform credentials,using signing keys endorsed by a trusted CA.

The paragraphs above describe an example embodiment in which a virtualmanufacturer authority uses signing keys and identity keys from a TPM toattest to the virtual manufacturer authority's configuration. Othertypes of security subsystems, such as proprietary security coprocessors,and other types of keys may be used in alternative embodiments.Similarly, other approaches may be used to verify that the configurationfor the virtual manufacturer authority is acceptable to an external CAserving, in effect, as a VMCA. For example, the external CA may seal asecret to a key in such a manner that the secret can be unsealed by avirtual manufacturer authority only if the virtual manufacturerauthority has a predetermined configuration. After the external CAtransmits the secret to the virtual manufacturer authority, if theconfiguration of the virtual manufacturer authority matches thepredetermined configuration, the virtual manufacturer authority will beable to unseal the secret. The virtual manufacturer authority may thensend proof to the external CA that the virtual manufacturer authoritywas able to unseal the secret. In response, the external CA may delegatethe requested authority to the virtual manufacturer authority. Thevirtual manufacturer authority may then use the delegated authority tosign credentials for the vTPM.

The following paragraphs describe example protocols that may be used bya virtual manufacturer authority to obtain acknowledgement from a VMCA,as well as example methods for creating such credentials.Acknowledgement from the VMCA may provide the virtual manufacturerauthority with the credentials needed to sign TPM and non-TPMcredentials.

2.5—vTPM Credentials

As indicated above, each virtual manufacturer authority may first createa TPM identity key (AIK) and acquire an identity credential from atrusted third-party CA (TTPCA) using the process outlined in the TCGspecification. The TTPCA may be a TCG privacy CA, for instance. Thevirtual manufacturer authority then creates its signing key, bound tothe current platform configuration. For example, virtual manufacturerauthority 124 may use the TPM_CertifyKey operation to have TPM 30 usethe virtual manufacturer authority's AIK to sign the properties of thesigning key, including its migration abilities and the PCRs to which itis bound. Virtual manufacturer authority 124 may then send theCertifyKey results along with the identity credential to VMCA 77.

Generally, VMCA 77 should trust the identity credential, which wassigned by a TCG privacy CA. The credential indicates that the identitykey resides in a valid TPM, and the CertifyKey certificate indicatesthat the signing key will only be available to that specific virtualmanufacturer authority and TCB.

Once VMCA 77 is convinced that virtual manufacturer authority 124 istrustworthy, VMCA 77 will delegate TPM manufacturer status to virtualmanufacturer authority 124. For instance, VMCA 77 may create adelegation certificate and distribute that certificate to TCG privacyCAs.

Virtual manufacturer authority 124 may then use the delegated TPMmanufacturer status to create an endorsement credential and a platformcredential for a DM (e.g., vTPM 44A). The model fields in thesecredentials may indicate both the hardware and software platform onwhich vTPM 44A resides. In one embodiment, for the endorsementcredential, the model field would indicate the hardware TPM model andthe GVTPM manager 110. For the platform credential, the model fieldwould indicate the hardware platform and the TCB, which includes VMM 64and similar software.

2.6—Non-vTPM Credentials

A proprietary DM (e.g., DM 44C) that does not adhere to TCGspecifications should not have an endorsement or platform credential;though, it can still benefit from similar credentials. The developer ofa proprietary DM might operate its own evaluator service, similar to aprivacy CA, for the express purpose of issuing credentials, so that thedeveloper can guarantee a key is in an instance of the developer's DMbefore data is encrypted to that key. The precise protocol for doing sois completely up to the entity that designed the proprietary DM and thevirtual manufacturer authority that corresponds to that DM.

3.0—Example vTPM Device Model Designs

This section describes two example DM designs for creating vTPMs. ForGVTPM framework 40, these correspond roughly to opposite ends of thespectrum from strict security to greater performance and flexibility.The first model, referred to as the software-based DM, recognizes thatonce the vTPM is anchored in TPM hardware, software can provide completeTPM functionality to the OS in a VM. All private keys are stored in thedevice model's memory, as is all other data stored in the virtual TPM.In the second model, referred to as the hardware-based DM, all keys arestored in the hardware TPM. In the second model, when a key is used, thedevice model issues a request to the TPM to use the key. In the firstmodel, the vTPM is not hindered by the performance limitations of theTPM, while the second still relies on the hardware TPM to service mostrequests. The security difference between the first model and the secondmodel during normal functioning is identical. However, the resultingstate of the system and its secrets after a compromise has occurred isdifferent between the models.

If the DM or the VMM of the platform is compromised, all data stored inthe DM's memory may be compromised. During the compromise, both modelsmay allow the attacker to use keys in that vTPM. Once the vulnerabilityis patched and the compromise is ended, access to those keys isterminated in the hardware-based DM. However, in the case of thesoftware-based DM, the private keys may have been permanentlycompromised since they were available in memory.

In most environments, the software-based approach can achieve anadequate level of security. However, in environments in which it is moreexpensive to revoke and regenerate compromised keys, the hardware-basedapproach may be appropriate, since compromises would be temporary. Thesetypes of environments might include a server where high performance,highly tamper-resistant TPMs are used to protect important corporatekeys. The proposed framework leaves these choices to the implementers,who can decide on the preferred approach for meeting the assurance needsof a particular implementation. For example, a hybrid approach that usesthe TPM to house some keys and/or data structures may be appropriate forcertain implementations.

3.1—Software-based vTPM Device Model

A completely software-based vTPM DM uses few or no hardware TPMresources for providing TPM functionality. Once the PSS and the hardwareTPM have guaranteed that the DM and the TCB are the same as thosereflected in the credentials of the DM, the DM is left to functionindependently of the hardware TPM. All virtual PCRs, monotonic counters,non-volatile storage, and other TPM resources are stored and managed inthe memory of the DM.

The benefit of this design is that the functionality exposed by thedevice model is not hampered in any way by the functionality orperformance provided by the hardware TPM. Stronger keys, larger numbersof key slots and more PCRs are all easily supported. In addition,typical hardware TPMs are very resource constrained and are not veryhigh performance devices. However, the performance of a software-basedDM is not bound by that of the hardware TPM. For example, asoftware-based DM can support bulk encryption, whereas bulk encryptionwith a conventional hardware TPM is extremely slow.

3.2—Hardware-based vTPM Device Model

The second example vTPM device model attempts to maximize the use of theprotected processing within the hardware TPM. The main use of thehardware TPM resources is that all keys for each DM are stored in thehardware TPM, and private keys are never stored in main memory.

3.2.1—Key Hierarchy

This section describes the overall key hierarchy utilized in an exampleembodiment of a hardware-based device model. This example embodiment isdescribed in the context of DM 44A serving as a vTPM for VM 60A, asillustrated in FIG. 3.

Referring again to FIG. 2, TPM 30, as usual, maintains a standardendorsement key (hwEK) 52 and a storage root key (hwSRK) 50.Additionally, an AIK known as a key binding key (KBK) 160 is used toprotect vTPM keys.

Also, each DM may have appropriate keys and data structures to emulate ahardware TPM for each respective VM. For instance, in the exampleembodiment, DM 44A has a virtual EK (vEK) 150 and a virtual SRK (vSRK)152 whose parent key is hwSRK 50. Parented in the vSRK, there arevirtual signing keys (vSigKs) 154, virtual storage/encryption keys(vEncKs) 156, and virtual identity keys (vAIKs) 158. Additionalstructures in each DM for emulating a hardware TPM may include virtualPCRs (vPCRs) 92 and virtual DIRs (vDIRs) 94. Each DM may also containdata such as a virtual EK credential (vEK_Cred) 96 and one or morevirtual AIK credentials (vAIK_Cred) 98.

As indicated by the legend in the lower right corner of FIG. 2, storagekeys are illustrated as ovals with no fill, attestation identity keys(AIKs) are illustrated as ovals filled with horizontal lines, andsigning keys are illustrated as ovals filled with a pattern of dots. Inaddition, bolded ovals represent keys that are bound to PCRs 32 of TPM30. Lines between keys indicate parent/child relationships among thekeys. For example, those lines indicate that SRK 50 is a parent key forcertain virtual keys within each DM. Credentials are represented byparallelograms.

In one embodiment, the virtual keys and other structures or objectswithin a vTPM may have the same structure as hardware TPM keys orobjects, but the virtual objects within a virtual TPM are not merereferences to the standard objects within TPM 30, such as EK 52, SRK 50,and PCRs 32. Instead, as described in greater detail below, each virtualTPM gets its own distinct objects, such as vEK 150, etc. Those virtualobjects may be based on or derived from the objects of the hardware TPM.For example, in the example embodiment, the virtual SRKs and virtual EKsare children of the hardware SRK or, in the case of nested vTPMs, avirtual SRK ultimately based on the hardware SRK. By allowing for vTPMkeys to be rooted in vSRKs, this model allows for vTPM nesting.

Virtual TPM objects such as vEK 150, vSRK 152, and vPCRs 92 may in turnserve as the basis for additional virtual objects within DM 44A, such asvSigKs 154, virtual AIKs (vAIKs) 158, and virtual storage/encryptionkeys (vEncKs) 156. In the example embodiment, each DM may provide all ofthe functions provided by a corresponding hardware device, with the sameapplication program interfaces (APIs). For example, DM 44A may includeits own vDIRs 94, vPCRs 92, vAIKs 158, etc. Consequently, the guest OSin each VM may be completely unaware that the corresponding vTPM is nota hwTPM. The VMs may therefore use legacy OS code. In addition,according to the example embodiment, a processing system with aconventional hwTPM may be configured to provide vTPMs without requiringany modifications to the hwTPM.

The virtual machine architecture may leverage the hardware TPM toprotect the virtual keys and related data. In one embodiment, the vTPMkey hierarchies and related data are protected within a standard hwTPM.For example, the virtual TPM keys may be stored in, and never releasedfrom, the hardware TPM, unless the data is first encrypted.Consequently, if a virtual TPM is compromised, the public portions ofthe associated vTPM keys may possibly be subject to unauthorized use,but only for the duration of the compromise. In the examplehardware-based embodiment, all keys will remain inside the hardware TPM,and the private keys therefore cannot be stolen or used once thecompromise has ended.

A processing system according to the present invention may also providean attestation protocol architecture that allows vTPMs to provideconventional TPM attestation services. Remote challengers with noawareness of virtual TPMs may participate fully in the attestationprocess. Moreover, remote challengers with vTPM awareness may becapable, without additional protocols, of distinguishing hwTPMs fromvTPMs, and may then decide whether or not to trust a platform hosting avTPM. Remote challengers may include, without limitation, entities thatprovide data only to verifiably safe clients. Such a challenger may bereferred to as a third party data provider.

As indicated above, in the example hardware-based model, all keys foreach DM are stored in TPM 30. Depending on the capabilities of TPM 30and the particular security requirements of a particular implementation,one or more of other structures and data items, such as credentials 96and 98, vPCRs 92, vDIRs 94, etc., may also be stored in the hardwareTPM, or they may be stored in PSS 100 of GVTPM framework 40.

When a privacy CA creates an identity credential for a platform, theprivacy CA encrypts the identity credential to the platform's EK beforetransmitting the identity credential to the platform. In one embodiment,VM 60A operates as a platform interacting with privacy CA 76, and VM 60Auses a hardware-based vTPM device model (e.g., DM 44A). Accordingly,privacy CA 76 will encrypt the identity credential (e.g., vAIK_Cred 98)to the VM's vEK 150. This encryption protects the credential in transit.When VM 60A receives the identity credential from the privacy CA, VM 60Auses the vEK's private key from DM 44A to decrypt this credential. SincevAIK_Cred 98 is not in a TCG bound data structure, vEK 150 must be a TPMlegacy key in order to support decrypting this credential.

In the example embodiment, vSRK 152 and vEncKs 156 are traditional TPMstorage keys and require no special attention. Similarly, the vSigKs 154are traditional TPM signing keys and require no special attention.Identity keys, however, are only able to sign quoted PCR values. Thismeans the vAIK, if implemented as an AIK, would be unable to signvirtual PCRs stored in DM memory, since they are data that is externalto hwTPM 30. Therefore, vAIKs 158 may be implemented as TPM signingkeys. Quote structures may be constructed for virtual PCRs 92 in DM 44Aand then signed with a vAIK. Lastly, KBK 160 is a traditional bindingkey.

3.2.2—Enforcing Virtual PCRS on TPM Keys

The hardware TPM (e.g., TPM 30) and the VM using the vTPM (e.g., VM 60Ausing DM 44A) have different notions of what the current PCR values are.Care must be taken to ensure that information flow between the vTPM andthe TPM remains consistent. When a VM requests that a key be created inthe vTPM, that request is accompanied by vPCR bindings, though the guestmay not realize that the binding are virtual. When this request isforwarded to the hardware TPM, the PCR field in the request must betranslated into correct hwPCR bindings. DM's may use the GVTPM+TCB asbindings or omit them for performance. The resulting newly createdwrapped key returned from the hardware TPM will thus not contain thevPCR bindings requested by the VM. Since the wrapped key does notcontain those bindings, it may be possible for an attacker to bypass thevTPM, if attacker were to obtain the original wrapped key and load itdirectly into the hardware TPM.

Additionally, the wrapped key returned by a hardware TPM is a TCG_KEYstructure containing the TPM version, PCR bindings, public key,encrypted private key, and other information that is returned to therequester. The version and PCR binding information is that of thehardware TPM, not the vTPM. In order to preserve transparency, theTPM_KEY structure returned by the vTPM should have the vPCR bindings andthe vTPM version information. In one embodiment, to address this issue,the wrapped key returned by the vTPM will be a modified form of thewrapped key returned by the hardware TPM. For purposes of thisdisclosure, the wrapped key returned by the vTPM may be referred to as avTPM double wrapped key.

FIG. 4 presents a block diagram of an example embodiment of a vTPMdouble wrapped key. In FIG. 4, vTPM wrapped key 210 is a modified formof the wrapped key 200 returned by TPM 30. In one embodiment, theoperations below may be performed whenever VM 60A requests that a newkey be created by vTPM 44A, such as when DM 44A in VM60A creates a newvAIK, and processing system 20 proceeds to store that key in TPM 30.

In vTPM wrapped key 210, all public portions of the structure remainintact to ensure transparency. Also, as illustrated at block 214, theencrypted private key section 216 of the TCG_KEY structure will beexpanded to include the hwPCR bindings, authorization to use this key,the hardware TPM's version, a digest of the public portions of the key,and the original encrypted private key section, which is unreadable tothe vTPM device model (e.g., DM 44A). As indicated at block 212, the PCRbindings in the public portion of the TCG_KEY structure will be replacedwith the vPCR bindings, and the version will be set to that of the vTPM.The digest stored in the private portion will reflect thesemodifications. Lastly, the expanded private key section 216 will beencrypted with KBK 160 (described above). The result is a TCG_KEY 210with the expected version and vPCR bindings, and an unreadable encryptedsection, which, if passed to the hardware TPM, will not decryptproperly.

For use, the key returned to the user must be loaded into the virtualTPM (e.g., DM 44A), which will decrypt the private key section 216,verify the virtual PCR binding 212, and reconstruct the original wrappedkey 200. Once the vPCR and authorization are verified, the DM loads theoriginal wrapped key 200 into the TPM, including a copy 204 of privatekey section 216. The original wrapped key 200 will similarly bedecrypted by the hardware TPM and the hardware PCR binding 202 will beverified before the key 200 is fully loaded and available for use.

3.2.3—Other Device Model Resources

The virtual TPM device model may be unable to share most of the otherTPM resources across many DMs. Monotonic counters typically cannot beshared without modifying applications to expect non-exclusive counterusage, and therefore may either be permanently allocated to a specificDM or be implemented in software similar to that of the software-baseddevice model. The vTPM non-volatile storage can be stored in thehardware TPM, as long as it does not exceed the storage of the hardwareTPM. If the hardware TPM's storage is inadequate, non-volatile storagecan also be virtualized similarly to that of the software-based DM.

The VM must be able to create authorization sessions to use many of theTPM functions; however, it typically should not differentiate betweenfunctions handled by the vTPM device model directly and those passed onto the hardware TPM. In one embodiment, the DM transparently providesTPM functionality, from both itself and the hardware TPM, under a singleuser authorization session.

To accomplish this, the DM maintains separate authorization sessionswith both the VM and the hardware TPM. That is, the user will create anauthorization session with the DM as normal. The DM may do all the sameauthorization checks based on this session that a hardware TPM would do.If the DM provides the requested function directly, the DM may simplyupdate the session nonces and reply. If the DM needs the hardware TPM toprovide the service, the DM may create or reuse an existingauthorization session it has with the hardware TPM and make the request.Once the DM is done using the hardware TPM, it may update the nonces onthe user's session and reply.

4.0—Hardware Optimizations

The framework discussed above may provide TPM capabilities to multipleguests using a single conventional TPM. The framework may use eithersoftware or the hardware TPM to provide the TPM functionality; however,using the TPM to enforce virtual PCRs may be cumbersome. This sectiondescribes TPM features to optimize and simplify the hardware-baseddevice model. Those features include the following:

-   -   Virtual PCRs    -   Virtual Attestation Identity Keys    -   Virtual EK

A typical conventional TPM may be unable to store vPCRs, to allow theTPM to enforce key bindings and provide vPCR quotes. This leads to theneed for double wrapped keys, with the DM enforcing and managing vPCRs.A modified TPM that is capable of storing vPCRs removes a great deal ofcomplexity and provides increased performance. U.S. patent applicationSer. No. 11/095,034, assigned to the same assignee as the presentapplication, discusses technology to supporting PCRs and/or vPCRs forvirtual machines.

Once vPCRs are available in the modified TPM, AIKs should be able toquote them. In one embodiment, the modified TPM has the ability tocreate virtual AIKs (vAIKs) which quote the vPCRs rather than the mainPCRs.

Lastly, in order to effectively quote PCRs, a vAIK requires an identitycredential. As noted earlier, identity credentials are encrypted to theEK. In one embodiment, the modified TPM includes support for vEKs thatcan decrypt the credentials for the vAIK.

With these modifications, the performance of the hardware-based DMwithin GVTPM framework 40 may be increased, while simultaneouslyreducing the framework's complexity and therefore increasing itstrustworthiness.

5.0—Remote Deployment and Provisioning of Virtual TPMS

The use of TPMs on platforms may create new challenges for software anddata distribution. For example, an information technology (IT)department within an organization may create a software build or patch,and then push the build or patch to hundreds or thousands of machinesacross the organization. TPMs add a new dynamic to this process, due tothe way TPMs are used to protect keys and seal data. To distribute a newsoftware package to a machine, the IT department may find that any keyswhich are needed by that software need to be distributed to themachine's TPM.

The following paragraphs describe how vTPMs can be provisioned on onemachine (e.g., a server), and then distributed to other machines (e.g.,clients) with the software that is expected to make use of the vTPMs. Anexample usage model for the approach described below is in a businessenterprise; however, that approach or variations thereof can be used inany environment where the consumer of the services of the vTPM has asufficiently close relationship with the entity providing the services,such as when the client system runs software from a particular entity,and the client system uses that software to access data provided by thesame entity. For example, a client system in a physician's office couldobtain, from an insurance company, a vTPM along with a content viewer touse that vTPM. The client system could then use that content viewer toaccess protected insurance records from the insurance company. In anexample embodiment, the only entity that needs to trust the vTPM is theinsurance company, which is the same entity that provided the vTPM.

A remotely provisioned vTPM, unlike a normal vTPM, is created externallyto the platform in which it will operate. This means that the virtualmanufacturer authority will no longer sign both the endorsementcredential and the platform credential for the vTPM. In an exampleprovisioning environment, an IT department manufactures the vTPM,generates the endorsement key for that vTPM, signs the endorsementcredential, and then sends the vTPM and endorsement credential to adestination machine. Once the vTPM is inserted into the destinationmachine, the virtual manufacturer authority will create a platformcredential for the new vTPM and sign it. The signatures on these twocredentials identify two entities a challenger must trust. The ITdepartment had access to the private endorsement key as well as anyother keys that it preloaded into the vTPM, so the IT department signsthe endorsement credential. The vTPM architecture components (e.g.,GVTPM framework 40) and the platform's isolation mechanism integrate thevTPM into the software platform. They potentially have access to thesecrets stored in the vTPM. Therefore, these entities must also betrusted by the challenger. Consequently, the platform credential issigned by the virtual manufacturer authority.

If a challenger does not trust the entity that signs the endorsementcredential and the entity that signs the platform credential, thechallenger may reject attestations from this vTPM. In the case of anenterprise, the IT department will likely control the manufacturing ofthe vTPM, the vTPM platform, and the challenger software. Thus, there isan inherent trust among these entities. Similarly, a content providermay control manufacturing of vTPMs and related challenger software.Therefore, such a content provider may only need to trust the vTPMplatform.

On example mechanism for deployment is to transfer the vTPM to the PSSof the destination. How this is accomplished is dependent on theimplementation of the PSS and the GVTPM manager. In an exampleimplementation, the PSS maintains a storage key which it can prove toexternal entities is protected by a hardware TPM and bound to thespecific vTPM architecture. While this key is used to store state, itcan also be used to receive state. The following steps exemplify howthis transmission may occur.

-   -   1) The provisioner generates the new vTPM and all keys needed        within the vTPM. Also, the provisioner generates and signs the        new endorsement credential for that vTPM.    -   2) The provisioner requests that the destination PSS provide an        anti-replay nonce.    -   3) PSS sends the provisioner a nonce and optionally the public        key of the PSS. This key may already be known from a prior        communication.    -   4) The provisioner then encrypts the state of the new vTPM and        the nonce from step 3 to the storage key of the PSS.    -   5) The provisioner sends the encrypted blob to the PSS, along        with the endorsement credential for that vTPM.    -   6) The PSS receives the vTPM state, decrypts it, seals it like        it does all offline vTPMs, and records it as a known vTPM. This        vTPM is now officially part of the PSS's platform.    -   7) A virtual manufacturer authority for the PSS creates a        platform credential for the vTPM.        The PSS may now load and use the vTPM like it would any other.

When software requiring TPM keys is to be distributed to a client, ifthe vTPM were to be created on the client system instead of beingcreated on a server and then transferred to the client, the server wouldtypically need to instruct the client to create a vTPM, and then waitwhile the client generates each key required by the software. The clientcould then send the public key portions of the generated keys to theserver, and the server would then use those public keys to generate theapplication and data to deploy. If hundreds or thousands of clients areto be updated, this process could take a long time to complete.Moreover, the server does not have control of the environment generatingthe keys.

When the entity that creates keys will also be the challenger (i.e., theentity that will be requesting attestation or otherwise relying on thekeys), the approach introduced by this disclosure may provide a fasterand more efficient method for creating the necessary keys and vTPMs tosupport those keys.

As reflected in FIG. 2, like TPMs, vTPMs includes structures for storingdata that constitutes the state of the vTPM. For instance, some of thestate for a vTPM is stored in PCRs and DIRs. In addition, the state of avTPM may include various keys, credentials, counters, etc. For purposesof this disclosure, generating a significant portion of the state datafor a vTPM may be considered creating a vTPM.

In particular, for purposes of this disclosure, the generation of an EKconstitutes the creation of a vTPM. As described above, once a vTPM hasbeen created, it may be transferred to a target system. The rest of thestate for that vTPM may be generated when a platform, VMM, or VM takesownership of the vTPM. The process of creating a vTPM and transferringit to another processing system may be referred to in general as remoteprovisioning and deployment of the vTPM.

6.0—Migrating Virtual TPMs

In some environments, the fixed nature of the TPM is important. Someenvironments, however, could benefit from controlled mobility of the TPMacross platforms. The TCG has approved a mechanism by which a single keycan, with third party intervention, be migrated from one TPM to another.This mechanism can be cumbersome, however, particularly when more thanone key needs to be migrated. The paragraphs below introduce a new wayto migrate vTPMs from platform to platform in a controlled manner. Inthe example embodiment, all keys are migrated at once, without requiringthird party intervention for each key being migrated.

The method of migration described below provides important assurances.For instance, if a vTPM is advertised to have specific securityproperties, when a key is created in the vTPM, all stakeholders for thatkey must be assured that, if that vTPM is migrated to another platform,those security properties will also be present in the new platform.Also, when a vTPM is migrated, the vTPM state must be moved, not copied,from the source platform to the destination platform.

A migration policy is used to support guarantees of advertised securityproperties. This policy determines what criteria a vTPM architecture andthe platform mechanism protecting this architecture must meet in orderfor a particular vTPM to be migrated to that platform. Additionally,this policy is strictly enforced. In an example embodiment, a virtualmanufacturer authority serves the purpose of enforcing the migrationpolicy, and the virtual manufacturer authority maintains one key permigration policy (e.g., a signing key). When the virtual manufacturerauthority registers with the trusted CA in order to gain manufacturerstatus, the virtual manufacturer authority also sends data to identifythe migration policy that will be enforced by the virtual manufacturerauthority for any vTPM with credentials that the virtual manufacturerauthority signs with this signing key.

In an example embodiment, to support the creation of migratable vTPMs,in addition to the vTPM management functions that GVTPM manager 110 isnormally required to handle, GVTPM manager 110 will declare vTPMs aseither migratable or non-migratable during vTPM creation. MigratablevTPMs may require further specification to indicate which availablemigration policy will be used. For example, when the virtualmanufacturer authority creates an endorsement credential and a platformcredential, the virtual manufacturer authority may use a model numberindicating the vTPM is migratable, and may sign the credentials with itsmigratable vTPM manufacturer key. That is, the virtual manufacturerauthority may sign the credentials with a signing key recognized asbelonging to a manufacturer of migratable vTPMs.

Thus, in one embodiment, migratable vTPMs get their endorsementcredentials signed by one signing key, while non-migratable vTPMs gettheir endorsement credentials signed by a different signing key. Thismethodology allows better identification of migratable vTPMs. In someembodiments, one virtual manufacturer authority signs credentials formigratable vTPMs, and a different virtual manufacturer authority signscredentials for non-migratable vTPMs.

An example mechanism for migration is that the PSS on a source platformtransfers the state of a migratable vTPM to the PSS in a destinationplatform. How this transfer is accomplished is dependent on theimplementation of the PSS and the GVTPM manager.

In an example implementation, the PSS maintains a storage key which thePSS can prove to external entities is protected by a hardware TPM andbound to the specific vTPM architecture. While this key is used to storestate, it can also be used to receive state. If the PSS in a firstplatform (PSS 1) wants to migrate a vTPM to a PSS in a second platform(PSS 2), the following steps may transpire.

-   -   1. PSS 1 requests that PSS 2 transmit its storage public key and        proof of the bindings of this key.    -   2. PSS 2 sends its storage public key and a nonce to PSS 1.    -   3. PSS 1 evaluates the policy for the vTPM on PSS 2's state. PSS        1 should only migrate the vTPM if the policy declares PSS 2's        state to be trustworthy to provide safe operation of the vTPM        and to continue to uphold this policy for the next migration.    -   4. If PSS 2 passes, PSS 1 ensures that the vTPM is not running.        PSS 1 then encrypts the following to PSS 2's storage key: the        persistent state of the vTPM, the nonce from step 2, and the        measurement of the correct vTPM in which this state should run.    -   5. PSS 1 deletes the record for this vTPM from the list of known        vTPMs. This ensures that this state cannot be reloaded into this        service, and that when the migration is over, this vTPM will        only exist under PSS 2.    -   6. PSS 1 sends PSS 2 the encrypted blob, along with the        endorsement credential for the vTPM.    -   7. PSS 2 receives the vTPM state, decrypts it, seals it like it        does all offline vTPMs, and records it as a known vTPM. This        vTPM is now officially part of PSS 2's platform.    -   8. (optional) PSS 2's virtual manufacturer authority creates a        platform credential for the vTPM. It is inaccurate for the vTPM        to continue using PSS 1's platform credential, since the vTPM no        longer resides on that platform. However, since the        trustworthiness of the vTPM is only that of the weakest        configuration that will pass the policy, it is not critical for        security that this new credential be used.        PSS 2 may now load and use the vTPM like it would any other.

The safety of the migration protocol may be validated to prove that itensures the following: for a given migratable vTPM, the vTPM has neverbeen compromised during its movement. By an inductive proof methodology,this assurance may be established if two following propositions can beproven to a challenger:

-   -   1. The vTPM state was originally created in a safe vTPM.    -   2. If the vTPM is in a safe vTPM, the vTPM architecture will        only migrate the vTPM state to another safe vTPM.        The assurance of these two statements is found in the signatures        on the credentials. When the vTPM was created, its endorsement        credential was created and signed by a virtual manufacturer        authority. Prior to this, the virtual manufacturer authority        created its signing key and exchanged it, along with the        migration policy, with a certificate authority. This CA will not        sign an endorsement credentials for a virtual manufacturer        authority unless the CA recognizes the virtual manufacturer        authority as providing safe vTPMs and enforcing a safe migration        policy. A virtual manufacturer authority with credentials signed        by the CA therefore will never migrate a vTPM to a vTPM that is        not safe.

Typically, a challenger receives a set of PCRs signed by an AIK, and anaccompanying identity credential signed by a privacy CA. The challengermay base its assessment of the vTPM on this information. By seeing thiscredential, the challenger may safely conclude that the vTPM showed theprivacy CA an endorsement credential signed by a trustworthy signingkey. The privacy CA only trusts signatures that itself or another CA hasvouched for. The only way the signature on the endorsement credentialwill have been vouched for by another CA is if the signing key was in asafe virtual manufacturer authority and the signing key corresponds to amigration policy which only allows for migration to other vTPMs that aresafe.

Therefore, the existence of the identity credential should convince thechallenger that this vTPM was created in a legitimate vTPM, and that ithas never resided in a rogue vTPM before giving this attestation.

Similarly, the above migration approach may be initiated from theplatform to receive the vTPM, rather than the platform to provide thevTPM.

The disclosed migration methodology may be useful for a wide range ofapplications, including usage models in which individuals desire toaccess data from multiple machines. For example, a physician couldconveniently migrate vTPMs between a home computer and an officecomputer, to allow the physician to access protected medical recordsfrom more than one location. The types of protected data that could beaccessed include, without limitation, content protected by digital rightmanagement (DRM) protocols, proprietary content from the same entitythat provides the software for accessing the content, and personal,sensitive, and/or confidential information (e.g., medical records,financial data, etc.) that should only be available to certain entities.

Similarly, the above migration approach could support usage models that,in effect, liberate an individual's computing environment from anyparticular workstation. For example, the Internet Suspend/Resume (ISR)project described athttp://info.pittsburgh.intel-research.net/project/isr/ pertains to an“approach to mobile computing in which a user's computing environmentfollows the user [across workstations] as he or she travels.” The ISRproject describes one example deployment of a transportable computingenvironment as follows:

-   -   For example, imagine a telecommuter who works from home in the        morning and at the office in the afternoon. After completing a        morning's work, the user clicks “suspend” on the home machine        and begins to travel to the office. While the user is en route,        the state of the user's computing environment is also en route,        through the network, to the machine in the user's office. When        the telecommuter arrives at the office, the office machine is        presenting the same environment that the user left at home: the        same applications and files are open, the windows are all in the        expected places, and the cursor is in the appropriate location.        Such a model and similar models could use vTPM migration to        support transportable, TPM-protected computing environments,        such as an environment that includes a TPM-protected OS,        TPM-protected applications, and/or TPM-protected data.        8.0—Conclusion

This disclosure describes a generalized framework for virtualization ofsecurity coprocessors such as TPMs. An example embodiment uses a TPM toenable secure virtual TPM operation. Disclosed embodiments allowmultiple VMs to use TPM functionality without requiring multiplededicated hardware TPMs, without requiring modification to the softwarewithin a VM, and without requiring modification to remote entities thatinteract with a TPM or vTPM-protected system. According to the presentdisclosure, a virtual TPM can measure the OS and applications in a VM toprovide attestation to remote entities. Moreover, a virtual TPM canattest to a VM's state for a hardware TPM challenger, even though thehardware TPM and the challenger may utilize only the functionalitydescribed in the current TPM specifications, such as the TPM Version 1.2Design Specification referenced above. The guest OS in a VM may remainunaware that a hardware TPM is being shared, and trust relationships arenot required between the VMs within a system.

The disclosed framework may also facilitate the development of secure,software custom cryptographic subsystems which, if implemented inhardware, would be cost prohibitive. Virtual TPMs enable the combinationof isolation created by VM technology with TPM functionality thatprovides hardware-based secure storage and attestation. Customcryptographic subsystems enable richer functionality than that of theTPM for providing access controls and cryptographic protocols. Thisdisclosure includes embodiments illustrating examples of how theframework can be used in accordance with different security andperformance tradeoffs, while ensuring virtualization transparency. Thismeans that applications do not need to treat TPM access from within VMsdifferently than TPM access on platforms without virtualization. Forinstance, applications may use the same APIs to communicate with DMs asthey would to communicate with physical security coprocessors.

This disclosure also describes additional hardware TPM features forenabling simpler, optimized TPM virtualization. In addition, thisdisclosure describes mechanisms for remotely provisioning and deployingvirtual TPMs, and for migrating virtual TPMs between platforms.

As indicated above, different embodiments may rely more or less on ahardware TPM to protect data. For instance, all keys may be stored in ahardware TPM, or for increased flexibility and/or performance, virtualkeys can be created and used by the vTPM software, and the virtual keysmay not be stored in or directly protected by the hwTPM. Private keysbelonging to or generated by the virtual TPM may not be operated on bythe hardware TPM, in that the hardware TPM may not use those privatekeys to perform cryptographic operations. Instead, the virtual TPM mayuse the host processor and cryptographic software to performcryptographic operations with its private keys. To do this, the virtualTPM service may store its private keys in protected host memory.However, while the private key is not in use, the virtual TPM servicemay use hardware TPM features to wrap the key to its softwareconfiguration.

These options may allow the vTPM to encrypt, decrypt, sign, and verifyobjects in the vTPM software with much higher performance than may beprovided by a hardware TPM. These options may thus be preferred for bulkencryption or use in performance-sensitive server environments, forinstance. However, a tradeoff for added performance is that virtual keysmay be permanently compromised if a vTPM is compromised.

In light of the principles and example embodiments described andillustrated herein, it will be recognized that the illustratedembodiments can be modified in arrangement and detail without departingfrom such principles. For example, virtual TPMs have been described inconnection with VMs, but alternative embodiments also include vTPMs usedin connection with other types of system subdivisions, such aspartitions within a server or group of servers that share a hardwareTPM. For instance, virtual TPMs may be used in a four-processor systemthat is partitioned into two logical two-processor systems. Theteachings herein could also be used to provide a logical TPM to one ormore service coprocessors, or to one or more other types of independentprocessing elements on a hardware platform.

Furthermore, alternative embodiments include vTPM services that do notemulate a hardware TPM, but do extend and/or amplify the capabilities ofa hardware TPM (e.g., by providing more PCRs, more storage, etc.).Alternative embodiments also include a virtual TPM service running ontop of a secure OS, on top of a managed run-time environment (MRTE), ina service processor or coprocessor, in a system management mode (SMM) ofa platform, etc. Instead of or in addition to providing virtual TPMs,additional embodiments provide other kinds of emulated securitycoprocessors.

Also, the foregoing discussion has focused on particular embodiments,but other configurations are contemplated. In particular, even thoughexpressions such as “in one embodiment,” “in another embodiment,” or thelike are used herein, these phrases are meant to generally referenceembodiment possibilities, and are not intended to limit the invention toparticular embodiment configurations. As used herein, these terms mayreference the same or different embodiments that are combinable intoother embodiments.

Similarly, although example processes have been described with regard toparticular operations performed in a particular sequence, numerousmodifications could be applied to those processes to derive numerousalternative embodiments of the present invention. For example,alternative embodiments may include processes that use fewer than all ofthe disclosed operations, processes that use additional operations,processes that use the same operations in a different sequence, andprocesses in which the individual operations disclosed herein arecombined, subdivided, or otherwise altered.

Alternative embodiments of the invention also include machine accessiblemedia encoding instructions for performing the operations of theinvention. Such embodiments may also be referred to as program products.Such machine accessible media may include, without limitation, storagemedia such as floppy disks, hard disks, CD-ROMs, ROM, and RAM; as wellas communications media such antennas, wires, optical fibers,microwaves, radio waves, and other electromagnetic or optical carriers.Accordingly, instructions and other data may be delivered overtransmission environments or networks in the form of packets, serialdata, parallel data, propagated signals, etc., and may be used in adistributed environment and stored locally and/or remotely for access bysingle or multi-processor machines.

It should also be understood that the hardware and software componentsdepicted herein represent functional elements that are reasonablyself-contained so that each can be designed, constructed, or updatedsubstantially independently of the others. In alternative embodiments,many of the components may be implemented as hardware, software, orcombinations of hardware and software for providing the functionalitydescribed and illustrated herein.

In view of the wide variety of useful permutations that may be readilyderived from the example embodiments described herein, this detaileddescription is intended to be illustrative only, and should not be takenas limiting the scope of the invention. What is claimed as theinvention, therefore, is all implementations that come within the scopeand spirit of the following claims and all equivalents to suchimplementations.

1. A method comprising: launching a virtual manufacturer authority in aprotected portion of a processing system; creating a key for the virtualmanufacturer authority, wherein the key is protected by a trustedplatform module (TPM) of the processing system, and the key is bound toa current state of the virtual manufacturer authority; creating avirtual security coprocessor in the processing system; transmitting adelegation request from the processing system to an external certificateauthority (CA) for delegation of TPM manufacturer status and platformmanufacturer status to the virtual manufacturer authority via acertificate regarding the delegation, the certificate provided from theexternal CA to other CAs via a network, the delegation revocable by theexternal CA, wherein revocation of the delegation is communicated to theother CAs; and after transmitting the delegation request and generationof the certificate, using the key to attest to trustworthiness of thevirtual security coprocessor by generation of an endorsement credentialand a platform credential by the virtual manufacturer authority usinginformation about the virtual security coprocessor, and signing theendorsement credential and the platform credential using the key for thevirtual manufacturer authority, and appending the signature to theendorsement credential and the platform credential to create a finishedcertificate, without obtaining credentials from an external processingsystem.
 2. A method according to claim 1, further comprising: obtainingan identity credential associated with the virtual manufacturerauthority; and using the identity credential to support the delegationrequest.
 3. A method according to claim 1, comprising: creating anidentity key for the virtual manufacturer authority; obtaining anidentity credential for the identity key; and using the identity key andthe identity credential to support the delegation request.
 4. A methodaccording to claim 3, wherein the operation of obtaining an identitycredential for the identity key comprises obtaining the identitycredential from a privacy CA.
 5. A method according to claim 1, whereinthe processing system comprises a first processing system, the methodcomprising: obtaining, from a second processing system, an identitycredential for an identity key; creating a signing key for the virtualmanufacturer authority; and using the identity key to certify thesigning key.
 6. A method according to claim 1, wherein the processingsystem comprises a first processing system, the method comprising:obtaining, from a second processing system, an identity credential foran identity key; creating a signing key for the virtual manufacturerauthority; using the identity key to certify the signing key; and usingthe signing key to certify the credentials for the virtual securitycoprocessor.
 7. A method according to claim 1, further comprising:measuring the virtual manufacturer authority, wherein the current stateof the virtual manufacturer authority is based at least in part on themeasurement of the virtual manufacturer authority.
 8. A method accordingto claim 1, further comprising: measuring the virtual manufacturerauthority; and before transmitting the delegation request to theexternal CA, extending data stored in the TPM to reflect the measurementof the virtual manufacturer authority.
 9. A method according to claim 1,further comprising: measuring the virtual manufacturer authority; andbefore creating a key for the virtual manufacturer authority, extendingdata stored in the TPM to reflect the measurement of the virtualmanufacturer authority.
 10. An apparatus comprising: a machineaccessible medium; and instructions encoded in the machine accessiblemedium, wherein the instructions, when executed by a processing systemhaving a hardware trusted platform module (TPM), cause the processingsystem to perform operations comprising: launching a virtualmanufacturer authority in a protected portion of the processing system;creating a key for the virtual manufacturer authority, wherein the keyis protected by the TPM, and the key is bound to a current state of thevirtual manufacturer authority; creating a virtual security coprocessorin the processing system; transmitting a delegation request from theprocessing system to an external certificate authority (CA) fordelegation of TPM manufacturer status and platform manufacturer statusto the virtual manufacturer authority via a certificate regarding thedelegation, the certificate provided from the external CA to other CAsvia a network; and after transmitting the delegation request andgeneration of the certificate, using the key to attest totrustworthiness of the virtual security coprocessor by generation of anendorsement credential and a platform credential by the virtualmanufacturer authority using information about the virtual securitycoprocessor, and signing the endorsement credential and the platformcredential using the key for the virtual manufacturer authority, andappending the signature to the endorsement credential and the platformcredential to create a finished certificate, without obtainingcredentials from an external processing system.
 11. An apparatusaccording to claim 10, wherein the processing system comprises a firstprocessing system and the instructions cause the first processing systemto perform operations comprising: obtaining, from a second processingsystem, an identity credential for an identity key; creating a signingkey for the virtual manufacturer authority; using the identity key tocertify the signing key; and using the signing key to certify thecredentials for the virtual security coprocessor.
 12. An apparatusaccording to claim 10, wherein the instructions cause the processingsystem to perform operations comprising: obtaining an identitycredential associated with the virtual manufacturer authority; and usingthe identity credential to support the delegation request.
 13. Anapparatus according to claim 10, wherein the instructions cause theprocessing system to perform operations comprising: creating an identitykey for the virtual manufacturer authority; obtaining an identitycredential for the identity key; and using the identity key and theidentity credential to support the delegation request.
 14. An apparatusaccording to claim 13, wherein the operation of obtaining an identitycredential for the identity key comprises obtaining the identitycredential from a privacy CA.
 15. An apparatus according to claim 13,wherein the instructions cause the processing system to performoperations comprising: obtaining, from a privacy CA, an identitycredential for an identity key; creating a signing key for the virtualmanufacturer authority; and using the identity key to certify thesigning key.
 16. An apparatus according to claim 13, wherein theprocessing system comprises a first processing system, the methodcomprising: obtaining, from a second processing system, an identitycredential for an identity key; creating a signing key for the virtualmanufacturer authority; using the identity key to certify the signingkey; and using the signing key to certify the credentials for thevirtual security coprocessor.
 17. An apparatus according to claim 13,further comprising: measuring the virtual manufacturer authority; andbefore transmitting the delegation request to the external CA, extendingdata stored in the TPM to reflect the measurement of the virtualmanufacturer authority.
 18. A processing system comprising: a processor;a security coprocessor communicatively coupled to the processor; amachine accessible medium communicatively coupled to the processor; andinstructions in the machine accessible medium, wherein the instructions,when executed, cause the processing system to perform operationscomprising: launching a virtual manufacturer authority in a protectedportion of the processing system; creating a key for the virtualmanufacturer authority, wherein the key is protected by the securitycoprocessor, and the key is bound to a current state of the virtualmanufacturer authority; creating a virtual security coprocessor in theprocessing system; transmitting a delegation request from the processingsystem to an external processing system for delegation of trustedplatform module (TPM) manufacturer status and platform manufacturerstatus to the virtual manufacturer authority via a certificate regardingthe delegation, the certificate provided from the external processingsystem to other processing systems via a network; and after transmittingthe delegation request and generation of the certificate, using the keyto attest to trustworthiness of the virtual security coprocessor bygeneration of an endorsement credential and a platform credential by thevirtual manufacturer authority using information about the virtualsecurity coprocessor, and signing the endorsement credential and theplatform credential using the key for the virtual manufacturerauthority, and appending the signature to the endorsement credential andthe platform credential to create a finished certificate, withoutobtaining credentials from the external processing system.
 19. Aprocessing system according to claim 18, wherein the instructions causethe processing system to perform operations comprising: obtaining, froma second processing system, an identity credential for an identity key;creating a signing key for the virtual manufacturer authority; using theidentity key to certify the signing key; and using the signing key tocertify the credentials for the virtual security coprocessor.
 20. Anapparatus according to claim 18, wherein: the security coprocessorcomprises a trusted platform module (TPM); and the instructions causethe processing system to perform operations comprising: measuring thevirtual manufacturer authority; and before transmitting the delegationrequest to the external processing system, extending data stored in theTPM to reflect the measurement of the virtual manufacturer authority.